npm - @valencets/cms - Versions diffs - 0.1.0 - Mend

@valencets/cms 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (218) hide show

package/README.md +486 -0
package/dist/access/access-resolver.d.ts +6 -0
package/dist/access/access-resolver.d.ts.map +1 -0
package/dist/access/access-resolver.js +12 -0
package/dist/access/access-resolver.js.map +1 -0
package/dist/access/access-types.d.ts +22 -0
package/dist/access/access-types.d.ts.map +1 -0
package/dist/access/access-types.js +2 -0
package/dist/access/access-types.js.map +1 -0
package/dist/access/index.d.ts +3 -0
package/dist/access/index.d.ts.map +1 -0
package/dist/access/index.js +2 -0
package/dist/access/index.js.map +1 -0
package/dist/admin/admin-routes.d.ts +9 -0
package/dist/admin/admin-routes.d.ts.map +1 -0
package/dist/admin/admin-routes.js +139 -0
package/dist/admin/admin-routes.js.map +1 -0
package/dist/admin/dashboard.d.ts +3 -0
package/dist/admin/dashboard.d.ts.map +1 -0
package/dist/admin/dashboard.js +9 -0
package/dist/admin/dashboard.js.map +1 -0
package/dist/admin/edit-view.d.ts +8 -0
package/dist/admin/edit-view.d.ts.map +1 -0
package/dist/admin/edit-view.js +21 -0
package/dist/admin/edit-view.js.map +1 -0
package/dist/admin/escape.d.ts +2 -0
package/dist/admin/escape.d.ts.map +1 -0
package/dist/admin/escape.js +9 -0
package/dist/admin/escape.js.map +1 -0
package/dist/admin/field-renderers.d.ts +3 -0
package/dist/admin/field-renderers.d.ts.map +1 -0
package/dist/admin/field-renderers.js +60 -0
package/dist/admin/field-renderers.js.map +1 -0
package/dist/admin/index.d.ts +8 -0
package/dist/admin/index.d.ts.map +1 -0
package/dist/admin/index.js +8 -0
package/dist/admin/index.js.map +1 -0
package/dist/admin/layout.d.ts +9 -0
package/dist/admin/layout.d.ts.map +1 -0
package/dist/admin/layout.js +38 -0
package/dist/admin/layout.js.map +1 -0
package/dist/admin/list-view.d.ts +8 -0
package/dist/admin/list-view.d.ts.map +1 -0
package/dist/admin/list-view.js +21 -0
package/dist/admin/list-view.js.map +1 -0
package/dist/api/http-utils.d.ts +10 -0
package/dist/api/http-utils.d.ts.map +1 -0
package/dist/api/http-utils.js +29 -0
package/dist/api/http-utils.js.map +1 -0
package/dist/api/index.d.ts +6 -0
package/dist/api/index.d.ts.map +1 -0
package/dist/api/index.js +4 -0
package/dist/api/index.js.map +1 -0
package/dist/api/local-api.d.ts +52 -0
package/dist/api/local-api.d.ts.map +1 -0
package/dist/api/local-api.js +82 -0
package/dist/api/local-api.js.map +1 -0
package/dist/api/read-body.d.ts +6 -0
package/dist/api/read-body.d.ts.map +1 -0
package/dist/api/read-body.js +27 -0
package/dist/api/read-body.js.map +1 -0
package/dist/api/rest-api.d.ts +12 -0
package/dist/api/rest-api.d.ts.map +1 -0
package/dist/api/rest-api.js +100 -0
package/dist/api/rest-api.js.map +1 -0
package/dist/auth/auth-config.d.ts +12 -0
package/dist/auth/auth-config.d.ts.map +1 -0
package/dist/auth/auth-config.js +28 -0
package/dist/auth/auth-config.js.map +1 -0
package/dist/auth/auth-routes.d.ts +5 -0
package/dist/auth/auth-routes.d.ts.map +1 -0
package/dist/auth/auth-routes.js +108 -0
package/dist/auth/auth-routes.js.map +1 -0
package/dist/auth/cookie.d.ts +2 -0
package/dist/auth/cookie.d.ts.map +1 -0
package/dist/auth/cookie.js +9 -0
package/dist/auth/cookie.js.map +1 -0
package/dist/auth/csrf.d.ts +3 -0
package/dist/auth/csrf.d.ts.map +1 -0
package/dist/auth/csrf.js +14 -0
package/dist/auth/csrf.js.map +1 -0
package/dist/auth/index.d.ts +12 -0
package/dist/auth/index.d.ts.map +1 -0
package/dist/auth/index.js +9 -0
package/dist/auth/index.js.map +1 -0
package/dist/auth/middleware.d.ts +9 -0
package/dist/auth/middleware.d.ts.map +1 -0
package/dist/auth/middleware.js +26 -0
package/dist/auth/middleware.js.map +1 -0
package/dist/auth/password.d.ts +5 -0
package/dist/auth/password.d.ts.map +1 -0
package/dist/auth/password.js +16 -0
package/dist/auth/password.js.map +1 -0
package/dist/auth/rate-limit.d.ts +12 -0
package/dist/auth/rate-limit.d.ts.map +1 -0
package/dist/auth/rate-limit.js +30 -0
package/dist/auth/rate-limit.js.map +1 -0
package/dist/auth/session.d.ts +9 -0
package/dist/auth/session.d.ts.map +1 -0
package/dist/auth/session.js +31 -0
package/dist/auth/session.js.map +1 -0
package/dist/config/cms-config.d.ts +26 -0
package/dist/config/cms-config.d.ts.map +1 -0
package/dist/config/cms-config.js +61 -0
package/dist/config/cms-config.js.map +1 -0
package/dist/config/index.d.ts +4 -0
package/dist/config/index.d.ts.map +1 -0
package/dist/config/index.js +2 -0
package/dist/config/index.js.map +1 -0
package/dist/config/plugin.d.ts +3 -0
package/dist/config/plugin.d.ts.map +1 -0
package/dist/config/plugin.js +2 -0
package/dist/config/plugin.js.map +1 -0
package/dist/db/column-map.d.ts +4 -0
package/dist/db/column-map.d.ts.map +1 -0
package/dist/db/column-map.js +34 -0
package/dist/db/column-map.js.map +1 -0
package/dist/db/index.d.ts +10 -0
package/dist/db/index.d.ts.map +1 -0
package/dist/db/index.js +7 -0
package/dist/db/index.js.map +1 -0
package/dist/db/migration-generator.d.ts +18 -0
package/dist/db/migration-generator.d.ts.map +1 -0
package/dist/db/migration-generator.js +126 -0
package/dist/db/migration-generator.js.map +1 -0
package/dist/db/query-builder.d.ts +35 -0
package/dist/db/query-builder.d.ts.map +1 -0
package/dist/db/query-builder.js +222 -0
package/dist/db/query-builder.js.map +1 -0
package/dist/db/query-types.d.ts +36 -0
package/dist/db/query-types.d.ts.map +1 -0
package/dist/db/query-types.js +12 -0
package/dist/db/query-types.js.map +1 -0
package/dist/db/safe-query.d.ts +6 -0
package/dist/db/safe-query.d.ts.map +1 -0
package/dist/db/safe-query.js +9 -0
package/dist/db/safe-query.js.map +1 -0
package/dist/db/sql-sanitize.d.ts +7 -0
package/dist/db/sql-sanitize.d.ts.map +1 -0
package/dist/db/sql-sanitize.js +27 -0
package/dist/db/sql-sanitize.js.map +1 -0
package/dist/hooks/hook-runner.d.ts +5 -0
package/dist/hooks/hook-runner.d.ts.map +1 -0
package/dist/hooks/hook-runner.js +18 -0
package/dist/hooks/hook-runner.js.map +1 -0
package/dist/hooks/hook-types.d.ts +25 -0
package/dist/hooks/hook-types.d.ts.map +1 -0
package/dist/hooks/hook-types.js +2 -0
package/dist/hooks/hook-types.js.map +1 -0
package/dist/hooks/index.d.ts +3 -0
package/dist/hooks/index.d.ts.map +1 -0
package/dist/hooks/index.js +2 -0
package/dist/hooks/index.js.map +1 -0
package/dist/index.d.ts +21 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +13 -0
package/dist/index.js.map +1 -0
package/dist/media/index.d.ts +5 -0
package/dist/media/index.d.ts.map +1 -0
package/dist/media/index.js +4 -0
package/dist/media/index.js.map +1 -0
package/dist/media/media-config.d.ts +6 -0
package/dist/media/media-config.d.ts.map +1 -0
package/dist/media/media-config.js +37 -0
package/dist/media/media-config.js.map +1 -0
package/dist/media/serve-handler.d.ts +3 -0
package/dist/media/serve-handler.d.ts.map +1 -0
package/dist/media/serve-handler.js +47 -0
package/dist/media/serve-handler.js.map +1 -0
package/dist/media/upload-handler.d.ts +9 -0
package/dist/media/upload-handler.d.ts.map +1 -0
package/dist/media/upload-handler.js +63 -0
package/dist/media/upload-handler.js.map +1 -0
package/dist/schema/collection.d.ts +19 -0
package/dist/schema/collection.d.ts.map +1 -0
package/dist/schema/collection.js +7 -0
package/dist/schema/collection.js.map +1 -0
package/dist/schema/field-types.d.ts +73 -0
package/dist/schema/field-types.d.ts.map +1 -0
package/dist/schema/field-types.js +13 -0
package/dist/schema/field-types.js.map +1 -0
package/dist/schema/fields.d.ts +14 -0
package/dist/schema/fields.d.ts.map +1 -0
package/dist/schema/fields.js +33 -0
package/dist/schema/fields.js.map +1 -0
package/dist/schema/global.d.ts +8 -0
package/dist/schema/global.d.ts.map +1 -0
package/dist/schema/global.js +4 -0
package/dist/schema/global.js.map +1 -0
package/dist/schema/index.d.ts +13 -0
package/dist/schema/index.d.ts.map +1 -0
package/dist/schema/index.js +7 -0
package/dist/schema/index.js.map +1 -0
package/dist/schema/infer.d.ts +20 -0
package/dist/schema/infer.d.ts.map +1 -0
package/dist/schema/infer.js +2 -0
package/dist/schema/infer.js.map +1 -0
package/dist/schema/registry.d.ts +19 -0
package/dist/schema/registry.d.ts.map +1 -0
package/dist/schema/registry.js +65 -0
package/dist/schema/registry.js.map +1 -0
package/dist/schema/types.d.ts +15 -0
package/dist/schema/types.d.ts.map +1 -0
package/dist/schema/types.js +10 -0
package/dist/schema/types.js.map +1 -0
package/dist/validation/index.d.ts +3 -0
package/dist/validation/index.d.ts.map +1 -0
package/dist/validation/index.js +3 -0
package/dist/validation/index.js.map +1 -0
package/dist/validation/validators.d.ts +3 -0
package/dist/validation/validators.d.ts.map +1 -0
package/dist/validation/validators.js +9 -0
package/dist/validation/validators.js.map +1 -0
package/dist/validation/zod-generator.d.ts +5 -0
package/dist/validation/zod-generator.d.ts.map +1 -0
package/dist/validation/zod-generator.js +83 -0
package/dist/validation/zod-generator.js.map +1 -0
package/package.json +39 -0

package/README.md ADDED Viewed

@@ -0,0 +1,486 @@
+# @valencets/cms
+> See the [CMS Guide on the wiki](https://github.com/valencets/valence/wiki/Packages:-Cms) for the latest documentation.
+Schema-driven CMS for Valence. Define a schema, get a database, admin interface, REST API, validation, auth, and media uploads out of the box.
+## Quick Start
+```typescript
+import { buildCms, collection, field, global } from '@valencets/cms'
+import { createPool } from '@valencets/db'
+const pool = createPool({ host: 'localhost', port: 5432, database: 'myapp', username: 'postgres', password: '', max: 10, idle_timeout: 20, connect_timeout: 10 })
+const result = buildCms({
+  db: pool,
+  secret: process.env.CMS_SECRET,
+  uploadDir: './uploads',
+  collections: [
+    collection({
+      slug: 'posts',
+      labels: { singular: 'Post', plural: 'Posts' },
+      fields: [
+        field.text({ name: 'title', required: true }),
+        field.slug({ name: 'slug', required: true, unique: true }),
+        field.textarea({ name: 'body' }),
+        field.boolean({ name: 'published' }),
+        field.select({
+          name: 'status',
+          options: [
+            { label: 'Draft', value: 'draft' },
+            { label: 'Published', value: 'published' }
+          ]
+        }),
+        field.date({ name: 'publishedAt' }),
+        field.relation({ name: 'author', relationTo: 'users' }),
+        field.group({
+          name: 'seo',
+          fields: [
+            field.text({ name: 'metaTitle' }),
+            field.textarea({ name: 'metaDescription' })
+          ]
+        })
+      ]
+    }),
+    collection({
+      slug: 'users',
+      auth: true,
+      fields: [
+        field.text({ name: 'name', required: true })
+      ]
+    }),
+    collection({
+      slug: 'media',
+      upload: true,
+      fields: [
+        field.text({ name: 'alt' })
+      ]
+    })
+  ],
+  globals: [
+    global({
+      slug: 'site-settings',
+      label: 'Site Settings',
+      fields: [
+        field.text({ name: 'siteName', required: true }),
+        field.textarea({ name: 'siteDescription' })
+      ]
+    })
+  ]
+})
+if (result.isErr()) {
+  console.error('CMS init failed:', result.error.message)
+  process.exit(1)
+}
+const cms = result.value
+// cms.api        — Local API (find, create, update, delete)
+// cms.restRoutes — Auto-generated REST endpoints
+// cms.adminRoutes — Server-rendered admin panel
+// cms.collections — Collection registry
+// cms.globals     — Global registry
+```
+## Schema
+### Collections
+Collections are database-backed document types. Each collection gets a PostgreSQL table, Zod validation, REST endpoints, and admin UI.
+```typescript
+import { collection, field } from '@valencets/cms'
+const pages = collection({
+  slug: 'pages',                              // Table name, URL path segment
+  labels: { singular: 'Page', plural: 'Pages' }, // Admin UI labels (optional)
+  timestamps: true,                           // created_at, updated_at (default true)
+  auth: false,                                // Enable auth (auto-adds email, password_hash)
+  upload: false,                              // Enable media uploads (auto-adds file fields)
+  fields: [/* ... */]
+})
+```
+### Field Types (v0.1)
+| Factory | PG Type | Zod Type | Options |
+|---------|---------|----------|---------|
+| `field.text()` | `TEXT` | `z.string()` | `minLength`, `maxLength` |
+| `field.textarea()` | `TEXT` | `z.string()` | `minLength`, `maxLength` |
+| `field.number()` | `INTEGER`/`NUMERIC` | `z.number()` | `min`, `max`, `hasDecimals` |
+| `field.boolean()` | `BOOLEAN` | `z.boolean()` | — |
+| `field.select()` | `TEXT` + CHECK | `z.enum()` | `options: [{label, value}]`, `hasMany` |
+| `field.date()` | `TIMESTAMPTZ` | `z.string()` | — |
+| `field.slug()` | `TEXT` | `z.string()` | `slugFrom` (auto-generate from field) |
+| `field.media()` | `UUID` FK | `z.string().uuid()` | `relationTo` |
+| `field.relation()` | `UUID` FK | `z.string().uuid()` | `relationTo`, `hasMany` |
+| `field.group()` | `JSONB` | nested object | `fields: [...]` |
+All fields share base options: `name` (required), `required`, `unique`, `index`, `defaultValue`, `hidden`, `localized`, `label`.
+### Globals
+Singleton documents (site settings, navigation, footer). One row per global.
+```typescript
+import { global, field } from '@valencets/cms'
+const siteSettings = global({
+  slug: 'site-settings',
+  label: 'Site Settings',
+  fields: [
+    field.text({ name: 'siteName', required: true }),
+    field.textarea({ name: 'siteDescription' })
+  ]
+})
+```
+### Type Inference
+Extract TypeScript types from field definitions at the type level:
+```typescript
+import type { InferFieldsType } from '@valencets/cms'
+const postFields = [
+  field.text({ name: 'title' }),
+  field.number({ name: 'order' }),
+  field.boolean({ name: 'active' })
+] as const
+type Post = InferFieldsType<typeof postFields>
+// { title: string, order: number, active: boolean }
+```
+## Local API
+Direct function calls for server-side operations. All methods return `ResultAsync<T, CmsError>`.
+```typescript
+const cms = buildCms(config)._unsafeUnwrap()
+const api = cms.api
+// Find all
+const posts = await api.find({ collection: 'posts' })
+// Find with filters
+const published = await api.find({
+  collection: 'posts',
+  where: { published: true },
+  limit: 10
+})
+// Find by ID
+const post = await api.findByID({ collection: 'posts', id: 'uuid-here' })
+// Create
+const newPost = await api.create({
+  collection: 'posts',
+  data: { title: 'Hello', slug: 'hello' }
+})
+// Update
+const updated = await api.update({
+  collection: 'posts',
+  id: 'uuid-here',
+  data: { title: 'Updated' }
+})
+// Delete (soft delete)
+const deleted = await api.delete({ collection: 'posts', id: 'uuid-here' })
+// Count
+const count = await api.count({ collection: 'posts' })
+// Globals
+const settings = await api.findGlobal({ slug: 'site-settings' })
+const updatedSettings = await api.updateGlobal({
+  slug: 'site-settings',
+  data: { siteName: 'New Name' }
+})
+```
+## REST API
+Auto-generated JSON endpoints per collection. Requires `Content-Type: application/json` on mutating requests.
+| Method | Path | Description |
+|--------|------|-------------|
+| `GET` | `/api/:collection` | List documents |
+| `POST` | `/api/:collection` | Create document (Zod validated) |
+| `GET` | `/api/:collection/:id` | Get document by ID |
+| `PATCH` | `/api/:collection/:id` | Update document (Zod validated) |
+| `DELETE` | `/api/:collection/:id` | Soft delete document |
+### Auth Endpoints (when `auth: true` collection exists)
+| Method | Path | Description |
+|--------|------|-------------|
+| `POST` | `/api/users/login` | Login (email + password, Zod validated) |
+| `POST` | `/api/users/logout` | Logout (clears session cookie) |
+| `GET` | `/api/users/me` | Current user (requires session) |
+### Media Endpoints (when `uploadDir` configured with `upload: true` collection)
+| Method | Path | Description |
+|--------|------|-------------|
+| `POST` | `/media/upload` | Upload file (raw body, `X-Filename` header) |
+| `GET` | `/media/:filename` | Serve uploaded file |
+## Admin Panel
+Server-rendered HTML admin interface. Auto-generated from registered collections.
+- `/admin` — Dashboard with collection cards
+- `/admin/:collection` — Document list with table
+- `/admin/:collection/new` — Create form (CSRF protected, Zod validated)
+- `/admin/:collection/:id/edit` — Edit form
+### Auth Protection
+```typescript
+const routes = createAdminRoutes(pool, collections, { requireAuth: true })
+// All admin routes return 401 without valid session cookie
+```
+## Query Builder
+Chainable query API wrapping PostgreSQL's parameterized queries via `sql.unsafe()`.
+```typescript
+const qb = createQueryBuilder(pool, registry)
+// Chain operations
+const result = await qb.query('posts')
+  .where('published', 'equals', true)
+  .where('status', 'not_equals', 'draft')
+  .orderBy('created_at', 'desc')
+  .limit(10)
+  .all()
+// Pagination
+const page = await qb.query('posts')
+  .where('published', true)
+  .page(1, 10)
+// Returns { docs, totalDocs, page, totalPages, limit, hasNextPage, hasPrevPage }
+// Shorthand where (defaults to equals)
+qb.query('posts').where('slug', 'hello-world').first()
+// Include soft-deleted rows
+qb.query('posts').withDeleted().all()
+```
+### Where Operators
+`equals`, `not_equals`, `greater_than`, `less_than`, `greater_than_or_equal`, `less_than_or_equal`, `like`, `in`, `exists`
+## Migrations
+Generate PostgreSQL DDL from collection schemas.
+```typescript
+import { generateCreateTableSql, generateAlterTableSql, generateCreateTable } from '@valencets/cms'
+// Generate CREATE TABLE
+const sql = generateCreateTableSql(postsCollection)
+// CREATE TABLE IF NOT EXISTS "posts" (
+//   "id" UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+//   "title" TEXT NOT NULL,
+//   "slug" TEXT NOT NULL UNIQUE,
+//   ...
+//   "created_at" TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+//   "updated_at" TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+//   "deleted_at" TIMESTAMPTZ
+// );
+// Generate ALTER TABLE for schema changes
+const alterSql = generateAlterTableSql('posts', {
+  added: [field.text({ name: 'subtitle' })],
+  removed: ['old_field'],
+  changed: [field.number({ name: 'price', hasDecimals: true })]
+})
+// Generate migration file (with name + up/down)
+const migration = generateCreateTable(postsCollection)
+// Returns Result<{ name: '1234_create_posts', up: 'CREATE TABLE...', down: 'DROP TABLE...' }, CmsError>
+```
+## Auth
+Argon2id password hashing. Session-based authentication with secure cookie flags.
+```typescript
+import { hashPassword, verifyPassword, createSession, validateSession } from '@valencets/cms'
+// Hash password
+const hash = await hashPassword('my-password')
+// Returns ResultAsync<string, CmsError>
+// Verify password
+const valid = await verifyPassword('my-password', hash)
+// Returns ResultAsync<boolean, CmsError>
+// Session management
+const sessionId = await createSession(userId, pool)
+const userId = await validateSession(sessionId, pool)
+await destroySession(sessionId, pool)
+```
+### Session Cookies
+- `HttpOnly` — not accessible to JavaScript
+- `SameSite=Strict` — not sent on cross-site requests
+- `Secure` — HTTPS only
+- `Max-Age=7200` — 2 hour expiration
+### Rate Limiting
+Login endpoint rate-limited to 5 attempts per email per 15 minutes. Returns `429 Too Many Requests` when exceeded.
+### CSRF Protection
+Admin form POST handlers are protected with one-time CSRF tokens:
+- GET renders a hidden `_csrf` field in the form
+- POST validates the token (constant-time comparison)
+- Tokens expire after 1 hour
+- Each token is consumed on use
+## Access Control
+Per-collection, per-operation access functions returning `boolean` or `WhereClause` for row-level security.
+```typescript
+import { collection, field } from '@valencets/cms'
+import type { CollectionAccess } from '@valencets/cms'
+const access: CollectionAccess = {
+  create: ({ req }) => req?.headers['x-role'] === 'admin',
+  read: () => ({ and: [{ field: 'published', operator: 'equals', value: true }] }),
+  update: ({ req }) => req?.headers['x-role'] === 'admin',
+  delete: ({ req }) => req?.headers['x-role'] === 'admin'
+}
+```
+## Hooks
+Lifecycle hooks for collections. Hooks execute sequentially. Return data to transform it through the chain, or `undefined` to pass through.
+```typescript
+import type { CollectionHooks } from '@valencets/cms'
+const hooks: CollectionHooks = {
+  beforeValidate: [(args) => ({ ...args.data, slug: slugify(args.data.title) })],
+  beforeChange: [],
+  afterChange: [(args) => { notifyWebhook(args.data); return undefined }],
+  beforeRead: [],
+  afterRead: [],
+  beforeDelete: [],
+  afterDelete: []
+}
+```
+## Plugins
+Pure functional config transformers. Plugins receive the CMS config and return a modified version.
+```typescript
+import type { Plugin } from '@valencets/cms'
+const seoPlugin: Plugin = (config) => ({
+  ...config,
+  collections: config.collections.map(col => ({
+    ...col,
+    fields: [
+      ...col.fields,
+      field.group({
+        name: 'seo',
+        fields: [
+          field.text({ name: 'metaTitle' }),
+          field.textarea({ name: 'metaDescription' })
+        ]
+      })
+    ]
+  }))
+})
+const cms = buildCms({
+  ...config,
+  plugins: [seoPlugin]
+})
+```
+## Validation
+Zod schemas generated from field definitions. `.safeParse()` only — never `.parse()`.
+```typescript
+import { generateZodSchema, generatePartialSchema } from '@valencets/cms'
+const schema = generateZodSchema(postsCollection.fields)
+const result = schema.safeParse({ title: 'Hello', slug: 'hello' })
+if (!result.success) {
+  console.log(result.error.issues)
+}
+// Partial schema for updates (all fields optional, types still validated)
+const partialSchema = generatePartialSchema(postsCollection.fields)
+partialSchema.safeParse({ title: 'Updated' }) // OK, slug not required
+```
+## Error Handling
+All operations return `Result<T, CmsError>` or `ResultAsync<T, CmsError>`. No exceptions.
+```typescript
+import { CmsErrorCode } from '@valencets/cms'
+const result = await api.findByID({ collection: 'posts', id: 'missing' })
+result.match(
+  (doc) => console.log('Found:', doc),
+  (err) => {
+    // err.code is one of:
+    // NOT_FOUND, INVALID_INPUT, VALIDATION_FAILED,
+    // DUPLICATE_SLUG, UNAUTHORIZED, FORBIDDEN, INTERNAL
+    console.error(err.code, err.message)
+  }
+)
+```
+## Security
+- **SQL injection** — All queries use parameterized values via `sql.unsafe()`. Identifiers validated against `[a-zA-Z][a-zA-Z0-9_-]*` regex and checked against collection schema before interpolation.
+- **XSS** — All HTML output uses `escapeHtml()` (escapes `& < > " '`). No raw interpolation.
+- **CSRF** — One-time tokens with constant-time validation and 1-hour TTL on admin forms. REST API requires `Content-Type: application/json`.
+- **Path traversal** — Media filenames validated against `[a-zA-Z0-9][a-zA-Z0-9._-]*`, resolved paths checked with `startsWith(uploadDir)`.
+- **Auth** — Argon2id hashing, `HttpOnly; SameSite=Strict; Secure` cookies, rate limiting on login.
+- **Input validation** — Zod schemas enforced on REST POST/PATCH and admin form POST.
+## Module Map
+```
+packages/cms/src/
+├── schema/          # collection(), global(), field.*, registry, type inference
+├── validation/      # Zod schema generator, slug/email validators
+├── db/              # Query builder, migration generator, SQL sanitization
+├── access/          # Access control types and resolver
+├── hooks/           # Lifecycle hook types and runner
+├── auth/            # Password hashing, sessions, middleware, CSRF, rate limiting
+├── api/             # Local API, REST API, HTTP utilities
+├── admin/           # Server-rendered admin panel (layout, views, field renderers)
+├── media/           # Upload/serve handlers, MIME detection
+├── config/          # buildCms() entry point, plugin system
+└── index.ts         # Package barrel export
+```
+## Testing
+270 tests across 34 test files.
+```bash
+pnpm --filter=cms test
+```

package/dist/access/access-resolver.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+import { ResultAsync } from 'neverthrow';
+import type { CmsError } from '../schema/types.js';
+import type { WhereClause } from '../db/query-types.js';
+import type { AccessControlFunction, AccessArgs } from './access-types.js';
+export declare function resolveAccess(accessFn: AccessControlFunction | undefined, args: AccessArgs): ResultAsync<boolean | WhereClause, CmsError>;
+//# sourceMappingURL=access-resolver.d.ts.map

package/dist/access/access-resolver.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"access-resolver.d.ts","sourceRoot":"","sources":["../../src/access/access-resolver.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAA;AAExC,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAA;AAClD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAA;AACvD,OAAO,KAAK,EAAE,qBAAqB,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAE1E,wBAAgB,aAAa,CAC3B,QAAQ,EAAE,qBAAqB,GAAG,SAAS,EAC3C,IAAI,EAAE,UAAU,GACf,WAAW,CAAC,OAAO,GAAG,WAAW,EAAE,QAAQ,CAAC,CAY9C"}

package/dist/access/access-resolver.js ADDED Viewed

@@ -0,0 +1,12 @@
+import { ResultAsync } from 'neverthrow';
+import { CmsErrorCode } from '../schema/types.js';
+export function resolveAccess(accessFn, args) {
+    if (accessFn === undefined) {
+        return ResultAsync.fromSafePromise(Promise.resolve(true));
+    }
+    return ResultAsync.fromPromise(Promise.resolve().then(() => accessFn(args)), (e) => ({
+        code: CmsErrorCode.INTERNAL,
+        message: e instanceof Error ? e.message : 'Access check failed'
+    }));
+}
+//# sourceMappingURL=access-resolver.js.map

package/dist/access/access-resolver.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"access-resolver.js","sourceRoot":"","sources":["../../src/access/access-resolver.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAA;AACxC,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AAKjD,MAAM,UAAU,aAAa,CAC3B,QAA2C,EAC3C,IAAgB;IAEhB,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;QAC3B,OAAO,WAAW,CAAC,eAAe,CAAC,OAAO,CAAC,OAAO,CAAC,IAA6B,CAAC,CAAC,CAAA;IACpF,CAAC;IAED,OAAO,WAAW,CAAC,WAAW,CAC5B,OAAO,CAAC,OAAO,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,EAC5C,CAAC,CAAU,EAAY,EAAE,CAAC,CAAC;QACzB,IAAI,EAAE,YAAY,CAAC,QAAQ;QAC3B,OAAO,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,qBAAqB;KAChE,CAAC,CACH,CAAA;AACH,CAAC"}

package/dist/access/access-types.d.ts ADDED Viewed

@@ -0,0 +1,22 @@
+import type { WhereClause } from '../db/query-types.js';
+export interface AccessArgs {
+    readonly req?: {
+        readonly headers: Record<string, string>;
+    } | undefined;
+    readonly id?: string | undefined;
+    readonly data?: Record<string, string | number | boolean | null> | undefined;
+}
+export type AccessControlFunction = (args: AccessArgs) => boolean | WhereClause;
+export interface CollectionAccess {
+    readonly create?: AccessControlFunction | undefined;
+    readonly read?: AccessControlFunction | undefined;
+    readonly update?: AccessControlFunction | undefined;
+    readonly delete?: AccessControlFunction | undefined;
+    readonly admin?: AccessControlFunction | undefined;
+}
+export interface FieldAccess {
+    readonly create?: AccessControlFunction | undefined;
+    readonly read?: AccessControlFunction | undefined;
+    readonly update?: AccessControlFunction | undefined;
+}
+//# sourceMappingURL=access-types.d.ts.map

package/dist/access/access-types.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"access-types.d.ts","sourceRoot":"","sources":["../../src/access/access-types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAA;AAEvD,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,GAAG,CAAC,EAAE;QAAE,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE,GAAG,SAAS,CAAA;IACvE,QAAQ,CAAC,EAAE,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAChC,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,IAAI,CAAC,GAAG,SAAS,CAAA;CAC7E;AAED,MAAM,MAAM,qBAAqB,GAAG,CAAC,IAAI,EAAE,UAAU,KAAK,OAAO,GAAG,WAAW,CAAA;AAE/E,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,MAAM,CAAC,EAAE,qBAAqB,GAAG,SAAS,CAAA;IACnD,QAAQ,CAAC,IAAI,CAAC,EAAE,qBAAqB,GAAG,SAAS,CAAA;IACjD,QAAQ,CAAC,MAAM,CAAC,EAAE,qBAAqB,GAAG,SAAS,CAAA;IACnD,QAAQ,CAAC,MAAM,CAAC,EAAE,qBAAqB,GAAG,SAAS,CAAA;IACnD,QAAQ,CAAC,KAAK,CAAC,EAAE,qBAAqB,GAAG,SAAS,CAAA;CACnD;AAED,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,MAAM,CAAC,EAAE,qBAAqB,GAAG,SAAS,CAAA;IACnD,QAAQ,CAAC,IAAI,CAAC,EAAE,qBAAqB,GAAG,SAAS,CAAA;IACjD,QAAQ,CAAC,MAAM,CAAC,EAAE,qBAAqB,GAAG,SAAS,CAAA;CACpD"}

package/dist/access/access-types.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export {};
2	+ //# sourceMappingURL=access-types.js.map

package/dist/access/access-types.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"access-types.js","sourceRoot":"","sources":["../../src/access/access-types.ts"],"names":[],"mappings":""}

package/dist/access/index.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+export { resolveAccess } from './access-resolver.js';
+export type { AccessControlFunction, AccessArgs, CollectionAccess, FieldAccess } from './access-types.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/access/index.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/access/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAA;AACpD,YAAY,EAAE,qBAAqB,EAAE,UAAU,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA"}

package/dist/access/index.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export { resolveAccess } from './access-resolver.js';
2	+ //# sourceMappingURL=index.js.map

package/dist/access/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/access/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAA"}

package/dist/admin/admin-routes.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+import type { DbPool } from '@valencets/db';
+import type { CollectionRegistry } from '../schema/registry.js';
+import type { RestRouteEntry } from '../api/rest-api.js';
+interface AdminOptions {
+    readonly requireAuth?: boolean | undefined;
+}
+export declare function createAdminRoutes(pool: DbPool, collections: CollectionRegistry, options?: AdminOptions): Map<string, RestRouteEntry>;
+export {};
+//# sourceMappingURL=admin-routes.d.ts.map

package/dist/admin/admin-routes.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"admin-routes.d.ts","sourceRoot":"","sources":["../../src/admin/admin-routes.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,eAAe,CAAA;AAC3C,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAA;AAC/D,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAA;AAiBxD,UAAU,YAAY;IACpB,QAAQ,CAAC,WAAW,CAAC,EAAE,OAAO,GAAG,SAAS,CAAA;CAC3C;AAwCD,wBAAgB,iBAAiB,CAC/B,IAAI,EAAE,MAAM,EACZ,WAAW,EAAE,kBAAkB,EAC/B,OAAO,GAAE,YAAiB,GACzB,GAAG,CAAC,MAAM,EAAE,cAAc,CAAC,CAkG7B"}